> Thank you! Do you mean that freeimage copies in those files during the
> build process?

If you download the tarball at https://freeimage.sourceforge.io/download.html you'll find that, once unzipped, it contains a 'Source/LibOpenJPEG' folder that contains about the same files as https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2, though older. So, I guess they've copied them manually, even before the build.

> If you could update the notes for this CVE it would be nice. I started
> but realized that I had more questions and then it is better if you do
> it who knows the answer.

Ok, I'll create a PR.

Cyrille

On Friday, 12 April 2024 at 09:24 +0200, Ola Lundqvist wrote:
> Hi Cyrille
>
> Thank you! Do you mean that freeimage copies in those files during the
> build process?
> If you could update the notes for this CVE it would be nice. I started
> but realized that I had more questions and then it is better if you do
> it who knows the answer.
>
> No hurry since this is for a postponed issue.
>
> Cheers
>
> // Ola
>
> On Fri, 12 Apr 2024 at 09:15, Cyrille Bollu <cyri...@bollu.be> wrote:
> >
> > FTR,
> >
> > I did a small analysis, and that's for sure that CVE-2019-12214 relates
> > to code from openjpeg: Looking at the content of folder "LibOpenJpeg"
> > in freeimage's source code shows exactly the same files as in
> > https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2
> >
> > However, since freeimage copies those files into its source tree rather
> > than relying on shared libraries, it should probably still be listed as
> > a "CPE affected software configuration" for this CVE...
> >
> > BTW, while freeimage might be dead, libopenjpeg is still alive
> >
> > BR,
> >
> > Cyrille
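The thread's check (comparing FreeImage's vendored Source/LibOpenJPEG against upstream openjpeg's src/lib/openjp2 to see which files are identical, which lag behind, and which are missing) can be scripted; the following is an added example, not code from the thread or from either project. It builds two small constructed source trees in a temporary directory so it runs offline; the file names and contents are assumptions, not the real projects' files, and the same compare_trees function works on two real unpacked checkouts.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map relative path -> sha256 of contents for C source files under root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1] not in {".c", ".h"}:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                hashes[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return hashes

def compare_trees(vendored_dir, upstream_dir):
    """Classify files as identical to upstream, diverged (same name, different
    content, e.g. an older vendored snapshot), or present in only one tree."""
    vendored, upstream = hash_tree(vendored_dir), hash_tree(upstream_dir)
    common = set(vendored) & set(upstream)
    return {
        "identical": sorted(f for f in common if vendored[f] == upstream[f]),
        "diverged": sorted(f for f in common if vendored[f] != upstream[f]),
        "vendored_only": sorted(set(vendored) - set(upstream)),
        "upstream_only": sorted(set(upstream) - set(vendored)),
    }

def build_sample_trees(base):
    """Constructed sample trees (not the real projects' files): the vendored
    snapshot matches one upstream file, lags on another and lacks a third."""
    files = {
        "upstream/openjp2/j2k.c": "int opj_j2k_decode(void) { return 1; }\n",
        "upstream/openjp2/jp2.c": "int opj_jp2_decode(void) { return 2; }\n",
        "upstream/openjp2/mqc.c": "int opj_mqc_decode(void) { return 3; }\n",
        "vendored/LibOpenJPEG/j2k.c": "int opj_j2k_decode(void) { return 1; }\n",
        "vendored/LibOpenJPEG/jp2.c": "int opj_jp2_decode(void) { return 0; }\n",
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    return os.path.join(base, "vendored", "LibOpenJPEG"), os.path.join(base, "upstream", "openjp2")

def run_sample():
    """Build the sample trees in a temporary directory and return the comparison."""
    with tempfile.TemporaryDirectory() as base:
        return compare_trees(*build_sample_trees(base))
```

Calling run_sample() on the constructed trees reports j2k.c as identical, jp2.c as diverged and mqc.c as upstream-only; a "diverged" entry for a vendored copy is the signal that an upstream fix for a CVE may not have reached the bundling project.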